Failing to properly encode the output, the default TYPO3
Exception Handler is susceptible to Cross-Site Scripting. We
are not aware of a possibility to exploit this vulnerability
without third party extensions being installed that put user
input in exception messages. However, it has come to our
attention that extensions using the extbase MVC framework can
be used to exploit this vulnerability if these extensions
accept objects in controller actions.

It has been discovered that TYPO3 Core is vulnerable to Cross-Site
Scripting, Information Disclosure, Insecure Unserialize leading to
Arbitrary Code Execution.

TYPO3 Backend Help System - Due to a missing signature (HMAC) for a
parameter in the view_help.php file, an attacker could unserialize
arbitrary objects within TYPO3. We are aware of a working exploit,
which can lead to arbitrary code execution. A valid backend user
login or multiple successful cross site request forgery attacks are
required to exploit this vulnerability.

TYPO3 Backend - Failing to properly HTML-encode user input in
several places, the TYPO3 backend is susceptible to Cross-Site
Scripting. A valid backend user is required to exploit these
vulnerabilities.

TYPO3 Backend - Accessing the configuration module discloses the
Encryption Key. A valid backend user with access to the
configuration module is required to exploit this vulnerability.

TYPO3 bundles and uses an external JavaScript and Flash Upload Library
called swfupload. TYPO3 can be configured to use this Flash uploader.
Input passed via the "movieName" parameter to swfupload.swf is not
properly sanitised before being used in a call to
"ExternalInterface.call()". This can be exploited to execute arbitrary
script code in a user's browser session in context of an affected site.
The existance of the swfupload library is sufficient to be vulnerable
to the reported problem.

TYPO3 Backend History Module - Due to missing encoding of user
input, the history module is susceptible to SQL Injection and
Cross-Site Scripting. A valid backend login is required to exploit
this vulnerability. Credits go to Thomas Worm who discovered and
reported the issue.

TYPO3 Backend API - Failing to properly HTML-encode user input the
tree render API (TCA-Tree) is susceptible to Cross-Site Scripting.
TYPO3 Versions below 6.0 does not make us of this API, thus is not
exploitable, if no third party extension is installed which uses
this API. A valid backend login is required to exploit this
vulnerability. Credits go to Richard Brain who discovered and
reported the issue.

Failing to properly encode the output, the default TYPO3
Exception Handler is susceptible to Cross-Site Scripting. We
are not aware of a possibility to exploit this vulnerability
without third party extensions being installed that put user
input in exception messages. However, it has come to our
attention that extensions using the extbase MVC framework can
be used to exploit this vulnerability if these extensions
accept objects in controller actions.

TYPO3 bundles and uses an external JavaScript and Flash Upload Library
called swfupload. TYPO3 can be configured to use this Flash uploader.
Input passed via the "movieName" parameter to swfupload.swf is not
properly sanitised before being used in a call to
"ExternalInterface.call()". This can be exploited to execute arbitrary
script code in a user's browser session in context of an affected site.
The existance of the swfupload library is sufficient to be vulnerable
to the reported problem.